{"data":{"id":"8ec0d49d-0251-4dc9-9620-7a99bf331cf6","title":"CVE-2026-42261: PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4.","summary":"PromptHub versions 0.4.9 to before 0.5.4 contain an SSRF vulnerability (server-side request forgery, where an attacker tricks the server into fetching URLs they control). An authenticated endpoint allows users to supply a URL that the server fetches and returns the response, but the security check meant to block private IP addresses (internal network addresses) can be bypassed using alternate IPv6 (internet protocol version 6, the newer internet addressing system) representations. Any registered user can exploit this; if registration is enabled, anyone on the internet can register and exploit it.","solution":"Update to version 0.5.4 or later, which includes a patch for this vulnerability.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-42261","publishedAt":"2026-05-08T04:16:20.107Z","cveId":"CVE-2026-42261","cweIds":["CWE-20","CWE-693","CWE-918"],"cvssScore":"7.1","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["PromptHub"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-08T04:16:20.107Z","capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0010"]}}